Cyber Security Agency of Singapore - FAQ

Frequently Asked Questions

Advanced Search

Advanced Search

Close Panel

All of these words

This exact phrase

Any of these words

Without these words

Search within:

CSA
Whole of Government

Expand All

Cybersecurity Audit for CII

SingHealth Committee of Inquiry (COI) Audit

1.	Can the auditor opt not to audit the COI recommendations that are “Not Applicable”, “Not Implementable”, and “To be Implemented”? The auditor must include all COI recommendations within the COI audit scope regardless of their implementation status. The auditor must validate all implementation statuses of the SingHealth COI recommendations and; ascertain the adequacy and effectiveness of the implemented controls, including the interim and compensating controls put in place to address the risks mentioned in the COI report. Auditors are to refer to the audit guidance document titled “Guidelines For Auditing Critical Information Infrastructure” on CSA’s website (https://www.csa.gov.sg/legislation/supplementary-references) and audit worksheet titled “Implementation of COI Recommendations - Audit Template” for more details on the COI audit requirements.
2.	If Critical Information Infrastructure owners (CIIOs) have completed their cybersecurity audit, will CIIOs be required to conduct another audit on the implementation of the SingHealth COI recommendations? As instructed by the Minister-in-charge of Cybersecurity, CIIOs are required to conduct an independent audit of the implementation of the COI recommendations by end-2020 and submit the audit reports to CSA. To minimise operational burden on the sectors, CII owners can perform the COI audit together with the cybersecurity audit required under the Cybersecurity Act. In the event where CIIOs have completed their cybersecurity audit, CIIOs are required to conduct the COI audit separately, and complete it by 31 December 2020. The COI audit report has to be submitted to CSA no later than 30 days after completion.
3.	What is the COI audit period for which audit evidence is to be obtained? The audit period for which audit evidence is to be obtained should minimally be 12 months from the point the audit begins.
4.	Can auditor submit one audit report for both cybersecurity and COI audits? The auditor can submit (i) one audit report for both cybersecurity and COI audits combined or (ii) two separate audit reports. If the auditor choose to submit one audit report for both audits, the auditor must indicate clearly from which audit were the findings were found, or from where the audit conclusion was drawn. The audit report must follow the report format as stipulated in the audit guidance document titled “Guidelines For Auditing Critical Information Infrastructure” on CSA’s website (https://www.csa.gov.sg/legislation/supplementary-references). For the COI audit, the auditor should also complete an audit worksheet titled “Implementation of COI Recommendations - Audit Template” and submit it together with the audit report.
5.	Why do Critical Information Infrastructure owners (CIIOs) have to implement the SingHealth COI recommendations, given that different sectors have different risks? The 16 COI recommendations serve to (i) build a culture of security; (ii) secure particular aspects of the system; (iii) improve incident response capabilities; (iv) improve post-incident recovery capabilities; and (v) promote collective security. The recommendations were not limited to IHiS or SingHealth and are mandatory to all CIIOs. However, CSA recognises that not all recommendations can be implemented/applicable due to the nature and complexity of the CII environment. For such instances, CIIOs are required to make the assessment, seek formal concurrence from the Sector Lead and identify specific compensating controls to be implemented that would still address the risk.